[keycloak-user] Only bearer client and Authorization

Ronaldo Hideki Yamada ronaldo.yamada at serpro.gov.br
Fri Jun 28 11:01:13 EDT 2019


Pedro,

Using a JS policy also does not work, as shown in https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context

But context.getIdentity() also gets its data from the token, not from the internal identity store.

How do I get a UserModel (or any internal user) from a context?

I found KeycloakIdentity::getUserFromSessionState, but the method is private.




/**
 * JSPolicy: eh_gestor
 */

var context = $evaluation.getContext();
var identity = context.getIdentity();
// Log the identity attributes (token claims) the policy sees, for debugging.
var Logger = Java.type("org.jboss.logging.Logger");
var LOG = Logger.getLogger(Java.type("org.keycloak.authorization.policy.provider.js.JSPolicyProvider"));
LOG.info(identity.getAttributes().toMap().toString());

// hasClientRole() reads the kc.client.<clientId>.roles attribute, which is only
// present when the issuing client mapped the client roles into the token.
if (identity.hasClientRole('suite-sc', 'gestor')) {
    $evaluation.grant();
}

/* EOF */



# Log output when client roles aren't mapped to the token:
2019-06-28 11:35:58,823 INFO  [[JavaClass org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-102) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], typ=[Bearer], exp=[1561734358], session_state=[c73b7532-55d6-4d49-a1d1-662fe9fac369], iat=[1561732558], jti=[0873781a-b595-4a50-a4e2-33730cede059]}


# Log output when client roles are mapped to the token:
2019-06-28 11:51:42,295 INFO  [[JavaClass org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-107) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], kc.client.suite-sc.roles=[cadastrador, gestor], typ=[Bearer], exp=[1561735302], session_state=[af72aa12-3e94-4ebe-9bc7-a47bffeecef1], iat=[1561733502], jti=[f8ef05a1-44ab-4c99-863c-1875a82cdd8f]}





Ronaldo Hideki Yamada
SUPES/ESDEA/ESCSP
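The policy above only sees what the bearer token carries, which is why the first log line (no kc.client.suite-sc.roles claim) leads to a deny. The following is an added example, not code from this thread or from Keycloak itself: the same decision written as a function of the $evaluation object, checking the token claim first and falling back to the internal identity store. It assumes the JS policy API exposes $evaluation.getRealm() with isUserInClientRole(userId, clientId, roleName), as documented in later Keycloak releases; the Keycloak version in the thread evidently had no store-backed check, so the example also covers that case. The Keycloak objects are replaced by constructed stand-ins so the scenarios run offline under Node.

```javascript
// Added example, not code from the thread or from Keycloak.
// Assumption: $evaluation.getRealm().isUserInClientRole(userId, clientId, roleName)
// exists (documented in later Keycloak releases); older versions lack it.

const CLIENT_ID = 'suite-sc';     // API client whose role is required (from the thread)
const REQUIRED_ROLE = 'gestor';

// The policy decision as a function of the $evaluation object, so it can be exercised
// outside Keycloak. Inside Keycloak the policy body would be: evaluatePolicy($evaluation);
function evaluatePolicy(evaluation) {
  const identity = evaluation.getContext().getIdentity();

  // 1. Token path: Identity.hasClientRole() reads the kc.client.<clientId>.roles claim,
  //    which only exists when the issuing client mapped the roles into the token.
  if (identity.hasClientRole(CLIENT_ID, REQUIRED_ROLE)) {
    evaluation.grant();
    return 'grant:token';
  }

  // 2. Store path: ask the realm (internal identity store) directly. One lookup per
  //    evaluation, but the role claim, and with it the token size, drops out of the picture.
  const realm = typeof evaluation.getRealm === 'function' ? evaluation.getRealm() : null;
  if (realm && realm.isUserInClientRole(identity.getId(), CLIENT_ID, REQUIRED_ROLE)) {
    evaluation.grant();
    return 'grant:store';
  }

  // Default deny: neither the token nor the store grants the role.
  evaluation.deny();
  return 'deny';
}

// ---- Constructed stand-ins for the Keycloak objects (offline testing only) ----

function makeIdentity(sub, claims) {
  return {
    getId: () => sub,
    getAttributes: () => ({ toMap: () => claims }),
    hasClientRole: (clientId, role) =>
      (claims['kc.client.' + clientId + '.roles'] || []).indexOf(role) !== -1,
  };
}

// storeRoles: userId -> clientId -> [roles]; null mimics a Keycloak without getRealm().
function makeEvaluation(identity, storeRoles) {
  const evaluation = {
    decision: null,
    getContext: () => ({ getIdentity: () => identity }),
    grant: () => { evaluation.decision = 'GRANT'; },
    deny: () => { evaluation.decision = 'DENY'; },
  };
  if (storeRoles !== null) {
    evaluation.getRealm = () => ({
      isUserInClientRole: (userId, clientId, role) =>
        (((storeRoles[userId] || {})[clientId]) || []).indexOf(role) !== -1,
    });
  }
  return evaluation;
}

// Constructed claim sets shaped like the two log lines in the thread (abbreviated).
const SUB = 'd52ee480-a081-4cee-ba0c-c3fcd31cc19c';
const TOKEN_WITHOUT_ROLES = { sub: [SUB], azp: ['suite-sc'], typ: ['Bearer'] };
const TOKEN_WITH_ROLES = Object.assign({}, TOKEN_WITHOUT_ROLES,
  { 'kc.client.suite-sc.roles': ['cadastrador', 'gestor'] });
const STORE_WITH_GESTOR = { [SUB]: { 'suite-sc': ['cadastrador', 'gestor'] } };
const STORE_WITHOUT_GESTOR = { [SUB]: { 'suite-sc': ['cadastrador'] } };

function runScenarios() {
  return {
    // Roles mapped into the token: granted without touching the store.
    tokenRoles: evaluatePolicy(makeEvaluation(makeIdentity(SUB, TOKEN_WITH_ROLES), STORE_WITH_GESTOR)),
    // Roles kept out of the token (the 4k-limit case): the store decides.
    storeFallback: evaluatePolicy(makeEvaluation(makeIdentity(SUB, TOKEN_WITHOUT_ROLES), STORE_WITH_GESTOR)),
    // Keycloak without a store-backed API: the behaviour observed in the thread, deny.
    noRealmApi: evaluatePolicy(makeEvaluation(makeIdentity(SUB, TOKEN_WITHOUT_ROLES), null)),
    // User genuinely lacks the role: deny even though the store was consulted.
    noRole: evaluatePolicy(makeEvaluation(makeIdentity(SUB, TOKEN_WITHOUT_ROLES), STORE_WITHOUT_GESTOR)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenarios());
}
```

The store path is the one that answers the question in the thread: the decision is taken against the realm's current role assignments rather than against a claim snapshot frozen at token issue time, and the issuing client no longer has to inflate the token with another client's roles. The deployable part is evaluatePolicy only; Keycloak's script engine expects ES5 syntax, so const and arrow functions would become var and function expressions there.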

----- Original message -----
From: "Pedro Igor Silva" <psilva at redhat.com>
To: "ronaldo.yamada serpro" <ronaldo.yamada at serpro.gov.br>
Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Wednesday, 26 June 2019 16:56:53
Subject: Re: [keycloak-user] Only bearer client and Authorization

Hi Ronaldo, 
That is a good point and probably something we can improve. 

Currently, the roles are always obtained from the bearer token or subject_token you are using to make the authorization request. I think we could also fall back to checking roles by querying our identity stores internally. 

One thing you could do for now, though, is write a JS policy to perform RBAC [1]. 

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context

On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada at serpro.gov.br> wrote: 


Hi, 

I have the following use case: 

One client A1 (web) performs an authentication code flow and gets an access_token. 

I want to use this access token as Bearer token T1 [azp=A1] in backend client B1 (api) with authorization enabled. 

And validate permissions on Resources#Scopes in client B1, mapped by a client B1 RolePolicy. 

I already got it working, but only if I add the builtin protocol mapper "User Client Role" to the first client A1 and insert the client roles of B1 into token T1. 

But this greatly increases the size of access_token T1, and I have a limit of 4k. 

How do I make Keycloak evaluate authz permissions [RolePolicy] against the user's client roles in the internal database, instead of the information in the first token T1? 




Ronaldo Hideki Yamada 

- 


"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure." 
_______________________________________________ 
keycloak-user mailing list 
keycloak-user at lists.jboss.org 
https://lists.jboss.org/mailman/listinfo/keycloak-user 


